Hi Dann,

On September 5, 2003 08:08 pm, Dann Daggett wrote:
> But your answer brings up yet another question :) Most people do not
> have their own certificate, yet are able to do https transactions with
> secure web servers. Does each browser have a default certificate it
> presents in this case? And does that need to be verified? If so, how
> would I know which root certs need to be available for such cases?
In typical situations (I'm ignoring weird stuff to make things simpler), SSL/TLS will be server authenticated, which is to say that the client and server establish communications that are secure between the two end-points; however, it is only the client that has any confidence in the identity of the server. In particular configurations, the server can ask (as part of the handshake) that the client supply a certificate as well, so that both sides are authenticating the identity of the other. Or more accurately, they can authenticate the identity that the certificate (and the CA who signed it) claims the certificate owner to be.

Anyway, even if the server does ask the client to provide a certificate (most secure web-servers don't do this, for example), the client may elect not to. If this happens, it is up to the server to decide whether to continue or not. The client might choose not to authenticate itself because he/she doesn't want to, he/she has no certificate to use, or the certificate(s) that he/she has available are not signed by any of the CA certificates that the server mentioned in its CertificateRequest message. (When the server asks the client to authenticate itself, it specifies the ids of those CA certificates it is prepared to trust for authenticating the client.)

In short, don't worry about it. There are not many situations where SSL/TLS servers (particularly web-servers) ask for client authentication.

Cheers,
Geoff

--
Geoff Thorpe
[EMAIL PROTECTED]
http://www.openssl.org/

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
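As an added example (not part of Geoff's reply or of OpenSSL itself), the Python below builds and decodes a TLS 1.2 CertificateRequest message (RFC 5246 section 7.4.4) and then applies the client-side decision described above: offer a certificate only if one of the client's certificates is issued by a CA whose name the server listed, otherwise decline. The CA names, the client's certificate labels, and the `cn_dn` helper that encodes a CN-only X.500 name are constructed for the example.

```python
"""Decode a TLS 1.2 CertificateRequest and mimic the client's certificate choice."""
import struct

def cn_dn(name: str) -> bytes:
    """DER for a one-attribute name: SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, PrintableString } } }.
    Constructed helper; assumes names shorter than 100 bytes (single-byte DER lengths)."""
    val = b"\x13" + bytes([len(name)]) + name.encode("ascii")
    atv = b"\x30" + bytes([5 + len(val)]) + b"\x06\x03\x55\x04\x03" + val
    rdn = b"\x31" + bytes([len(atv)]) + atv
    return b"\x30" + bytes([len(rdn)]) + rdn

def build_certificate_request(ca_names: list[bytes]) -> bytes:
    """Handshake message type 13: certificate_types, supported_signature_algorithms, certificate_authorities."""
    body = b"\x01\x01"                      # one ClientCertificateType: rsa_sign (1)
    sig_algs = b"\x04\x01\x05\x01"          # sha256/rsa, sha384/rsa
    body += struct.pack("!H", len(sig_algs)) + sig_algs
    dns = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_names)
    body += struct.pack("!H", len(dns)) + dns
    return b"\x0d" + len(body).to_bytes(3, "big") + body

def parse_certificate_request(msg: bytes) -> dict:
    """Return the CA names (raw DER) the server is prepared to trust, plus the other fields."""
    if msg[0] != 13:
        raise ValueError("not a CertificateRequest")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    n = body[0]; pos = 1
    types = list(body[pos:pos + n]); pos += n
    (n,) = struct.unpack_from("!H", body, pos); pos += 2
    sig_algs = [tuple(body[i:i + 2]) for i in range(pos, pos + n, 2)]; pos += n
    (n,) = struct.unpack_from("!H", body, pos); pos += 2
    end, cas = pos + n, []
    while pos < end:
        (dn_len,) = struct.unpack_from("!H", body, pos); pos += 2
        cas.append(body[pos:pos + dn_len]); pos += dn_len
    if pos != end:
        raise ValueError("malformed certificate_authorities list")
    return {"types": types, "sig_algs": sig_algs, "cas": cas}

def choose_client_cert(request: dict, client_certs: list[tuple[str, bytes]]):
    """client_certs: (label, issuer DN DER). Return the label to send, or None to decline.
    An empty CA list means the server accepts any issuer, so the first certificate is offered."""
    if not request["cas"]:
        return client_certs[0][0] if client_certs else None
    for label, issuer in client_certs:
        if issuer in request["cas"]:
            return label
    return None

if __name__ == "__main__":
    req = parse_certificate_request(build_certificate_request([cn_dn("Example Corp CA")]))
    print(choose_client_cert(req, [("personal-cert", cn_dn("Other CA"))]))      # None: decline
    print(choose_client_cert(req, [("corp-cert", cn_dn("Example Corp CA"))]))   # corp-cert
```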